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Abstract 

We consider error correction in quantum key distribu- 
tion. To avoid that Alice and Bob unwittingly end up 
with different keys precautions must be taken. Before 
running the error correction protocol, Bob and Al- 
ice normally sacrifice some bits to estimate the error 
rate. To reduce the probability that they end up with 
different keys to an acceptable level, we show that a 
large number of bits must be sacrificed. Instead, if 
Alice and Bob can make a good guess about the er- 
ror rate before the error correction, they can verify 
that their keys are similar after the error correction 
protocol. This verification can be done by utilizing 
properties of Low Density Parity Check codes used in 
the error correction. We compare the methods and 
show that by verification it is often possible to sac- 
rifice less bits without compromising security. The 
improvement is heavily dependent on the error rate 
and the block length, but for a key produced by the 
IdQuantique system Clavis^, the increase in the key 
rate is approximately 5 percent. We also show that 
for systems with large fluctuations in the error rate 
a combination of the two methods is optimal. 

Introduction 

Quantum Key Distribution (QKD) [T] is a method to 
distribute a secret key between two parties, Alice and 
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Bob, through a quantum channel. An eavesdropper 
Eve is allowed full control over the channel. After the 
communication through the quantum channel Alice 
and Bob reconcile their keys using an error correction 
protocol. Using a privacy amplification protocol [H 
[3] any information Eve might have about the key is 
removed. The unconditional security of the entire 
protocol can be proven using the laws of quantum 
mechanics [4l|5l|6]. 

For practical QKD, the secret key rate is an im- 
portant factor. The main limitations on the key rate 
is the transmission efficiency of the quantum chan- 
nel and the performance of detectors at the receiving 
end of the channel, especially detector dead time. De- 
veloping better equipment is therefore important for 
making QKD a viable alternative for secure commu- 
nication. However it is also possible to increase the 
key rate by more efficient error correction and privacy 
amplification protocols. 

Due to imperfect equipment and Eves possible ac- 
tions during the distribution phase, errors between 
Alice and Bobs keys are inevitable. Thus they need 
to do error correction, ending up with identical keys. 
This is done by classical communication on an au- 
thenticated channel. Because this communication 
reveals some information about the key, either the 
communication must be encrypted using previously 
established key, or additional privacy amplification 
must be used. Thus it is important to have an effec- 
tive error correction protocol, revealing as little in- 
formation about them as possible. Assuming a block 
of N bits, containing N6 errors, the number of bits L 
lost in error correction is lower bounded by the Shan- 
non limit For a perfect protocol, working at the 



Shannon limit we have 

L = Nh{5) (1) 

Here /i(-) is the binary entropy function h{p) = 
-plogp - (1 - p) log(l - p). 

Error correction 

Error correction in QKD is generally done by ex- 
change of parity information about Alice's and/or 
Bob's keys. For processing purposes the key is di- 
vided into blocks of N bits, on which error correction 
is performed while the next block is distributed on the 
quantum channel. Different protocols can be used for 
error correction, the most popular being CASCADE 

Of significant interest are also protocols using Low 
Density Parity Check (LDPC) codes ^\W\. Using 
the technique of Density Evolution fTP^ it is possi- 
ble to construct error correcting codes performing ex- 
tremely close to the Shannon limit 12 . In addition 
to being efficient, error correction protocols based on 
LDPC has another advantageous property. Let dmin 
be the minimal Hamming distance between two code- 
words in the code, i.e. the minimal number of bits 
flips needed to turn a codeword into another. Then 
Alice and Bob's keys differ in at least d^^j^ bits if the 
error correction protocol completes without beeing 
successful. Finding dmin for a code is not solvable in 
polynomial time, but one can find a lower bound. A 
linear code cannot correct more errors than If 
the code performs at the Shannon limit this gives 

dmin = 2NS. (2) 

Note that for optimal efficiency a different code is 
needed for each error rate. Because creating good 
codes is computationally demanding, and therefore a 
time consuming task, a running QKD system would 
need an large set of preestablished codes, each opti- 
mized for a different error rate. 

Both CASCADE and LDPC based protocols re- 
quire an estimate on the error rate. This error esti- 
mation is often done by random sampling. Alice and 
Bob publicly announce some random bit pairs from 



their keys to estimate the error rate. However, the 
estimation can also be done without sacrificing bits. 
For example, in both protocols the error rate of the 
previous block is known to Alice and Bob, and can 
be used as an estimate. 

To make sure that all errors have been corrected, 
Alice and Bob can verify whether their keys are iden- 
tical. This verification process can be done by ex- 
changing parity information |131 114] . Given V parity 
sums announced from a key with a least one error, 
a very good approximation for the probability of an 
undetected error is 



PU\E = 




As an alternative, we propose to exploit the mini- 
mum distance of LDPC codes as follows: After error 
correction Alice and Bob publicly announce V ran- 
domly selected bit pairs. Since any non-identical keys 
have at least dmin errors the probability of not finding 
any errors given that there exist some errors is given 

by 

Pm<{i~^y <{l-2Sf (4) 

This method is simpler and less computational de- 
manding than exchanging parities, but more verifica- 
tion bits are needed to reach the same . 

If the actual error rate for a given block is larger 
than the estimate. Bob might end up with a wrong 
final key. Thus one should add a buffer A to the 
original estimate when running the protocol. The 
chosen value for A depends on the uncertainty in the 
error estimate and the consequences of coding into a 
wrong keyword. If the key only is used to encrypt 
information going from Alice to Bob, Bob having the 
wrong key only makes Alice message unreadable. On 
the other hand, Bob's key is not necessarily covered 
by security proofs if it differs from Alice's, so using 
it to encrypt data would be a breach of security. 

We can now find expressions for the number of bits 
lost in error correction with error estimation by ran- 
dom sampling (EERS), and with verification. As- 
sume that block i has NSi errors. Let e be an upper 
bound for the probability that the error correction 
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step fails in a way such that Alice and Bob unwit- 
tingly end up with different codewords. This bound 
should be valid under any circumstances and arbi- 
trary attacks by Eve. We assume that the error cor- 
rection protocol used is based on LDPC codes, and 
for simplicity we assume that it performs at the Shan- 
non limit for any error rate. 



Error estimation 
(EERS): 



by random sampling 



Random sampling of S bits gives an estimated error 
rate Ss, which is approximately binomial distributed 



with mean Si and variance 



The loss in 



the error estimation and error correction is given by 



their estimate for the error rate. Assuming the worst 
case scenario, Pu\E = the loss is given by 

Lv - {pE-e)N + {l-pE + e){V + Nh{S^-i+Av)) 

(9) 

with V being the number of bits used in verification 
step, and pE being the probability that Bobs raw key 
is transformed into the wrong codeword by the error 
correction protocol. 

Utilizing the minimum length between codewords 
the probability of an error not being detected is given 
by Q. The probability of an undetected error is 
Pu — Pu\ePe- Since we do not know Eve's action we 
have no certain knowledge about the block error rate 
Si, and therefore we cannot bound pE- Thus 



Ls = S+iN- S)h{Ss + As) 



(5) 



with As being the buffer parameter. Assuming that 
sampling only makes a negligible change in the error 
rate of the N — S remaining bits, the probability of 
an undetected error is bounded by 



PU = P{Ss 



< maxP((55 

Si 



As < Si) 

As < S^). 



(6) 



The maximization over all possible values for Si is 
necessary since we have no a priori information about 
the error rate. Using the normal distribution as an 
approximation for the binomial we get 



, -As 

Pu ^ max $ 

Si V cTs 



(7) 



= i (l - ci-i{AsV2S) 



with $ being the cumulative normal distribu- 
tion function. A lower bound for S such that 
P{Ss + As < (5.,) < e is then 



S > 



1 /erf"^(l - 2e) 



A, 



(8) 



Verification: 



Assume that Alice and Bob use the error rate of the 
previous block, (5i„i, plus a buffer parameter Ay as 



Pu<{l 



N 



(10) 



Note that this is independent of the actual error rate. 
Using ([2| we find a lower bound for V to ensure that 
P(7 < e to be 



V > 



log(e) 



log(e) 



log(l-%-) log(l-2((5y + Ay))- 



(11a) 



As noted we can also do the verification by parity 
exchange. The number of bits used in verification is 
then, using (|3|, 

(lib) 



V > 



iog(i; 



For a system where every bit has the same a priori 
probability of being an error. Si and Si^i are both 
normally distributed with mean S and variance ct^. 
In that case we have 



PE = PiSi >Sv + Ay) = $ 



-A. 



(12) 



V2a J ' 

which we can use in ^ to find the total loss. 

Numerical results 

For performance analysis, we first consider a system 
running with mean error rate S and variance between 
block error rates cr^ = i.e. all variance is 
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due to the inherit randomness of the bit values. The 
loss in error correction is then dependent on three 
parameters, the error rate S, the security parameter 
e and the block size N. 

We can minimize the loss from the error correction, 
^ and for different S, e and N, with respect to 
the buffer parameters Aj, j = S,V. Note that when 
running the error correction protocol, the value of the 
buffer parameter is chosen according to the estimates 
^5 and Sv, not the error rate 6. Since these estimates 
are not exact, one will generally choose a suboptimal 
value for Aj, resulting in slightly larger losses than 
the one showed in the following results. Also note 
that the possibility of choosing a suboptimal value 
for Aj is accounted for in security analyses in the 
previous section. 

We define the excessive loss ratio, L^', to be 

Lf = ^-hiS) j = S,V (13) 

Figure [l] shows that the excessive loss ratio is lower 
for verification than for EERS for all error rates S. 
We also see that the difference between the two meth- 
ods of verification is small compared to the difference 
between error correction and verification, especially 
for large 6. Since the difference is close to negligible 



we consider verification by utilizing minimum length 
between codewords in the rest of the discussion. All 
results also apply to verification by parity exchange 
unless noted otherwise. 

There are two main terms contributing to the dif- 
ference, both related to the security parameter e. 
As mentioned, the probability of undetected errors, 
bounded by e, might be of critical importance to the 
security of the protocol. If we use error estimation 
we must have a high buffer parameter A5 to avoid 
such errors. However, if we use verification, we have 
an efficient method to find errors after the error cor- 
rection. The main purpose of Ay is then not to avoid 
all errors, but only to keep the error probability pe 
low to avoid many blocks being thrown away. We 
can then choose a buffer parameter Ay < A5 even 
though our estimate <5i_i is less reliable than Ss- Op- 
timal values for Ay and As are shown in Figure [2] 

The other reason that verification has a smaller 
excessive loss than EERS is that to keep A5 from 
growing too large we must use a large sample size S. 
This sample is much larger than the number of bits 
V used for verification. Actually, as seen in Figure 
[3j V does not give a significant contribution to the 
excessive loss unless we are using the minimal length 
approach on a raw key with very small S. This again 
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Figure 3: Excessive loss ratio from the sampling 
procedure. iV = 10^ e lO"'^ 



shows that the method one chooses for verification, 
exchange of parities or utilizing the minimum length 
between codewords, is not important when it comes 
to excessive loss unless S is very small. 

As shown in Figure |4] the block size N is crucial 
to the excessive loss ratio. For EERS the high loss 
ratio for small N is mainly due to a large part of 
the block being used in the sampling process. Using 
verification this loss is avoided. Here the increased 
loss ratio for small N is due to the larger variance 
between block error rates when N is small. 

In verification, better security, i.e. decreasing the 
security parameter e, demands more bits V used to 
check for error after the error correction. However 
since V ~ loge (11 1, and additionally V ^ Nh{5v + 
Ay), decreasing e only gives a minimal increase in 
the loss ratio Thus, as shown in Figure [s] we can 
increase the security tremendously while sacrificing 
few extra bits if we use verification. In the scheme of 
EERS, as e — > 0, S* increases towards infinity quite 
fast because of the inverse error function in Q . Since 
sampling is a significant part of the loss ratio for all 
but very large N , high security comes with a high 
excessive loss ratio in this scheme. 
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Figure 4: Loss ratio for different block size. 5 = 0.05, 
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Figure 5: Loss ratio for different security parameters 
e. 5^ 0.05, N = 10^. 
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Figure 6: Excessive loss ratio for different block error 
rates and block error rate variance. The block error 
rates are assumed to be independent and normally 
distributed. iV = 10^ e = IQ-^. 

Variable error rates 

In real setups external factors like temperature fluc- 
tuations and calibration routines may cause greater 
variation in the block error rate. Then, using the 
error rate of the last block as our estimate for the 
error rate of the current block, is less reliable. To 
avoid throwing away more blocks due to the less ac- 
curate estimates, the buffer parameter, Ay, must be 
increased. This will lead to increased loss in the pro- 
tocol. Using an EERS scheme, the loss is indepen- 
dent of the block error rate variance. Thus, as shown 
in Figure [6j verification is preferable when the block 
error rate variance is small, while EERS should be 
considered when the variance is high. 

Figure [6] also indicates that the variance for which 
sampling and verification has equal excessive loss 
only depends slightly on 5. Thus the important vari- 
ables are TV and e. As shown in Figure [7] large vari- 
ance favors EERS while small block size and high 
security demands favor verification. 

In real setups the block error rate is not necessarily 
normally distributed. For example. Figure [8] shows 
how the block error rate evolved for a 24-hour run 
of the IdQuantique system Clavis^. In this case it 
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Figure 7: The curves show for which block error rate 
variance and block size EERS and verification has the 
same excessive loss. Verification is the best method 
for parameters in the area to the left of the curves, 
while EERS is best for parameters to the right of the 
curves. 5 = 0.05. 



is difficult to model the block error rate and thus to 
find an optimal Aj. However, as can be seen from 
the figure, in this run Ay — 0.004 would be enough 
to avoid any errors. Minimizing ([s]) with respect to 
As for the relevant iV = 2.6 • 10^ 5 w 0.016, and e = 
10~^ we find the optimal buffer parameter for EERS 
to be As K, 0.009. Thus it seems that verification 
would give the smallest excessive loss for this setup. 
Calculating the actual values we find Ly = 0.023 and 
if = 0.074. However, this is only true as long as it 
continues its current behavior. If the variance in the 
block error rate changes so does the optimal buffer 
parameter and maybe also the optimal method. 

In fact one of the assumption used in calculating 
these results, that we always manage to choose the 
buffer parameter Aj close to its optimal value, might 
not be justified for the verification scheme if the block 
error rate start to fluctuate in an unexpected way. 
Then there is a risk of having loss much larger then 
expected. The EERS scheme is not prone to this 
problem since As might be estimated pretty accu- 
rately from 6s- Thus EERS is recommended for sys- 



6 



0.018- 



0.017 



0.016 



0.015 - 



0.013 



i 










50 



100 150 
Block number 



200 



250 



Figure 8: Block error rate for a 24-hour run of the 
IdQuantique system Clavis^ 



terns with unknown behavior. In this respect the 
IdQuantique system the seems quite stable. Con- 
sidering groups of 50 consecutive blocks, the error 
rate between blocks varies a lot within each group. 
However the distribution of the difference between 
each block is quite similar for all the groups. Es- 
pecially is the maximal difference between two con- 
secutive blocks, which is the important quantity in 
finding a good value for Ay, very similar in all the 
groups. Thus it seems that verification scheme with 
Ay = 0.004 would work fine also for the next 250 
blocks. 

For the 24-hour run of the IDQuntique system 30.9 
percent of the raw key was lost in error correction, 
mostly due to whole blocks beeing discarded. This 
gives an excessive loss ratio of 0.189. It clear that a 
better error correction scheme would be beneficial to 
the systems performance. 

Combination of the methods 

We have seen that using EERS many bits must be 
sacrificed in random sampling to achieve high secu- 
rity. On the other hand, when the variance in the 
block error rate is high, doing verification and using 
the previous block as an estimate for the error rate 
also has large excessive loss since the estimate is not 



Error rate 


Method 


A 


s+v 

N 




5 = 0.05 


EERS 

Combination 


0.0126 
0.0081 


0.036 
0.023 


0.075 
0.053 


5 = 0.01 


EERS 

Combination 


0.0122 
0.0077 


0.038 
0.025 


0.105 
0.076 



Table 1: Results for EERS and a combination of 
EERS and verification. 

very accurate. Thus, if the block error rate variance 
is high and we want high security combining the two 
methods make sense. 

The loss related to error correction using both 
EERS and verification is, again assuming Pu^e — £j 

Lc ={PE - e)N + {1 - pE + e) (14) 
■{S + V + {N-S)h{Sc + Ac)). 

Just like for EERS the loss is independent of the vari- 
ance and the method is robust against wild fluctua- 
tions in the block error rate. 

Using the results from the EERS as our estimate 
6c, the probability pe of an error after the error cor- 
rection step is the same as the probability given in 
([t]) with Ac for A5. Using verification by parity ex- 
change the probability of an undetected error is then 



Pu = Pu\E Pe 



v+i 



1 - erf(AcV2S') . (15) 



For a given security parameter e the number of 
bits used in error estimation is then related to the 
bits used in verification by 

V = log(l - erf (A\/25)) - log e - 1 (16) 



We define the excessive loss as in ( 13 ) with j — C 



This can now be minimized with respect to the buffer 
parameter Ac and the sampling size S. 

For e = 10~^ and N ~ 10^ the results are shown 
m Table [ij We clearly see that using a combination 
of the methods leads to an improvement in perfor- 
mance compared to EERS alone. We expect this im- 
provement to be even more profound if we demand 
higher security (decreases e), or for small block sizes, 
as these are scenarios where verification significantly 
outperforms EERS. 
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To compare the combination method with verifica- 
tion we can compare the results from Table [l] with 
Figure [6] As the performance of the combination 
method is independent of variance we infer that it 
outperforms verification when the variance is larger 
than 0.004 while verification is better for tr < 0.003. 

Going back to the block error rate from the 
IdQuantique system we find = 0.054 for com- 
bination of the methods. Thus the variance between 
block error rates is so small that it seems verification 
only is the best approach for this system. 

Conclusion 

Due to the uncertainty about the true value of the 
block error rate some bits need to be sacrificed to de- 
crease the probability that Alice and Bob have unde- 
tected errors in their keys. This can be done by EERS 
before the error correction protocol, or by verification 
after the protocol. We find that verification gener- 
ally outperforms EERS, however if the variance in 
the block error rate is large EERS is the best choice. 
To minimize the loss in error correction it is therefore 
important to have a QKD system with a stable error 
rate. 

We propose a combination of the two methods 
that generally outperforms EERS. This combination 
method, and EERS, are both robust against changes 
in the behavior of the error rate. If one only does 
verification, large losses might occur if the block er- 
ror rate changes unexpectingly. Thus the combina- 
tion method should be used when the variance of the 
block error rate is high or when the change in the 
error rate between blocks is unknown or susceptible 
to unpredictable fluctuations. 

We also show that utilizing the minimum distance 
of LDPC codes provides a fast and efficient way to 
do verification. 
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